upgrading OpenSSL

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

upgrading OpenSSL

Don Lewis-2
The version of OpenSSL that we bundle with trunk, 1.0.2p, has three CVEs
and I'm attempting to upgrade it to 1.0.2t.  One problem I ran into is
that OpenSSL doesn't support Microsoft's assembler and now requires
NASM.  That will be something that we will have to add as a hard
requirement for Windows.

Ideally we would upgrade to 1.1.1 because 1.0.2 goes EOL upstream at the
end of the year.  Unfortunately there are some API changes in 1.1.1 that
break the serf build.  Upgrading to the latest serf (which we should do
anyway) requires scons, so this upgrade will be non-trivial.

For AOO418, we really need to upgrade beyond OpenSSL 0.9.8.  That
version doesn't support anything newer that TLS 1.1, which is due to be
deprecated in 2020.  Websites will stop supporting TLS 1.1, and our
users will then have problems downloading extensions and upgrades from
within OpenOffice.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: upgrading OpenSSL

Peter Kovacs-3
Serf is dropping scon, and with 4.0 supportung cmake, too.
Not that it changes a lot.
There was a thread with the request of feedback quite a while back.

Am 7. Oktober 2019 00:56:35 MESZ schrieb Don Lewis <[hidden email]>:

>The version of OpenSSL that we bundle with trunk, 1.0.2p, has three
>CVEs
>and I'm attempting to upgrade it to 1.0.2t.  One problem I ran into is
>that OpenSSL doesn't support Microsoft's assembler and now requires
>NASM.  That will be something that we will have to add as a hard
>requirement for Windows.
>
>Ideally we would upgrade to 1.1.1 because 1.0.2 goes EOL upstream at
>the
>end of the year.  Unfortunately there are some API changes in 1.1.1
>that
>break the serf build.  Upgrading to the latest serf (which we should do
>anyway) requires scons, so this upgrade will be non-trivial.
>
>For AOO418, we really need to upgrade beyond OpenSSL 0.9.8.  That
>version doesn't support anything newer that TLS 1.1, which is due to be
>deprecated in 2020.  Websites will stop supporting TLS 1.1, and our
>users will then have problems downloading extensions and upgrades from
>within OpenOffice.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [hidden email]
>For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: upgrading OpenSSL

Branko Čibej
On 07.10.2019 01:23, Peter Kovacs wrote:
> Serf is dropping scon,

Nope, we're just adding a CMake build. Scons is still supported.

> and with 4.0 supportung cmake, too. Not that it changes a lot.

It actually does, the CMake build also properly supports latest
CMake-enabled APR and APR-Util builds.

> There was a thread with the request of feedback quite a while back.

Yes, there was. I asked someone to test the latest 1.4.x branch (or
trunk), but didn't get any feedback. Sadly I don't have time to set up
an AOO build environment.

On the bright side, the Serf 1.4.x branch supports OpenSSL 1.1.x 
(tested on Windows, Linux and macOS).

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: upgrading OpenSSL

Matthias Seidel
Hi Branko,

Am 08.10.19 um 12:23 schrieb Branko Čibej:

> On 07.10.2019 01:23, Peter Kovacs wrote:
>> Serf is dropping scon,
> Nope, we're just adding a CMake build. Scons is still supported.
>
>> and with 4.0 supportung cmake, too. Not that it changes a lot.
> It actually does, the CMake build also properly supports latest
> CMake-enabled APR and APR-Util builds.
>
>> There was a thread with the request of feedback quite a while back.
> Yes, there was. I asked someone to test the latest 1.4.x branch (or
> trunk), but didn't get any feedback. Sadly I don't have time to set up
> an AOO build environment.
Well, I was a bit overambitious then, trying to update Serf in my test
build.
It turned out that I wasn't able to do it and no one else did try...

>
> On the bright side, the Serf 1.4.x branch supports OpenSSL 1.1.x 
> (tested on Windows, Linux and macOS).

With Don's recent commits for OpenSSL maybe we now have the chance to
take a second look at updating Serf? ;-)

Regards,

   Matthias

>
> -- Brane
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


smime.p7s (5K) Download Attachment